Certified product distribution methods: Breaking it down

When certifying your container images, Helm charts, or operators for OpenShift, you must decide the distribution and publication methods, which dictate how the end user consumes your product.  This topic can easily become a source of confusion. There are several options available, and it is often unclear when, why or how to utilize one distribution method over another.  What we will explore here is how to alleviate any remaining uncertainty on the subject.

Container image certification

Image

As of October 2022, in all cases for all new container projects, your container images remain hosted in a registry that you manage. Red Hat recommends Quay.io, but any Kubernetes-compatible registry may be used.

*A portion of container projects, created prior to October 2022, remain hosted by Red Hat because of functionality that is no longer enabled.

Red Hat Container Registry

Description: Your certified containers are made available on Red Hat platforms without additional registry steps by customers.

What it means: 

1. registry.connect.redhat.com will serve as a proxy address for your own registry. Customers will see the Red Hat registry URL; your registry location is hidden. 
2. Anyone with a Red Hat customer login can pull your container without needing special credentials for your private registry. Of course, they will not receive support if they are trying to use your product without purchasing.
3. You will not be able to track download metrics. You can see the amount downloaded, but no specific customer data. It will essentially look as if Red Hat is downloading them and the customers behind these pulls will be obfuscated.

NOTE: You must NOT modify or delete any container image when using this distribution method without first unpublishing the image from the proxy service (this can be done in your project’s ‘Images’ page.) Doing so without unpublishing causes the image to become unavailable for customers to pull, even though it will still appear as present in the Red Hat Catalog.  Think of the registry.connect.redhat.com proxy as an alias or symbolic link to your containers, which in reality reside in your registry. 

Who should use this:

• Partners who do not have their own registry to utilize
• Partners whose joint customers require hosting in registry.connect.redhat.com to simplify, in the case of OpenShift, their cluster registries. 

Red Hat Marketplace only

Description: Your certified containers are available exclusively via the Red Hat Marketplace. Customers must have an entitlement to pull your container.

What it means:  Customers AND partners need an entitlement provided by Red Hat Marketplace (owned by IBM) before they can access or pull your image.

Who should use this: We do not recommend this selection unless you are onboarding a certified Operator onto Red Hat Marketplace and you cannot utilize your own private registry to restrict access to your images. We advise you to reach out for more information before making this selection.

Your own Container Registry

Description:  Customers will need to add your registry to their Red Hat platforms to install your certified containers. 

What it means:  You are leveraging your own registry (it can be public or private). This URL is what is shown within the Red Hat Catalog.  You can control access and can easily see metrics.

Who should use this:  This is the recommended distribution choice for all partners.  Partners who have their own registry and do not need to leverage the Red Hat registry (because of joint customer preference, etc.) should select this option.

Helm chart

Image

Red Hat Helm chart repository

Description: Certified charts are placed in helm-charts.openshift.io and added to the repository index.

What it means:  Red Hat is hosting and distributing your certified Helm chart. Your Helm chart is visible in the Helm section of all OpenShift cluster versions the chart supports.

Who should use it:  Partners who do not want to leverage their own Helm chart repository.

External Helm chart repository

Description: Certified charts are distributed from your repository, and referenced in the index at helm-charts.openshift.io.

What it means: You are distributing your Helm chart from your own repository, and we reference it within the Red Hat Helm chart index.  Your Helm chart will be visible in the Helm section of all OpenShift cluster versions the chart supports.

Who should use it:  Partners opting to leverage their own repository.

Web catalog only (catalog.redhat.com)

Description: Certified charts are only available on catalog.redhat.com and not distributed to any repository index. 

What it means:  Your Helm chart will not be visible within OpenShift clusters.  You will have proof of certification and marketing through the Red Hat Catalog.

Who should use it: Partners who do not wish customers to install Helm charts from Red Hat and want to require them to go through the partner directly.

Operator

Image

OpenShift In-product Catalog (Certified)

Description: List on catalog.redhat.com, and publish to the Certified operator index in OpenShift’s OperatorHub.

What it means:  Your certified operator will publish to the embedded OperatorHub within every OpenShift cluster version that your Operator indicates support for (this is done within the annotations.yaml file of your metadata bundle).  Within OperatorHub, your operator will be visible under the “certified” filter. This is where customers will go to install the operator.  The certification will also be published and reflected within catalog.redhat.com.

Who should use it:  This is the most common selection. Select this if you do not plan on publishing to Red Hat Marketplace (owned by IBM) and if you do want your operator available in OpenShift clusters for install. 

OpenShift In-product Catalog (Red Hat Marketplace)

Description: List on catalog.redhat.com, and publish to the Red Hat Marketplace index in OpenShift’s OperatorHub.

What it means: This selection will require additional steps to onboard onto Red Hat Marketplace and create a listing on their website. This is entirely separate from the Red Hat certification workflow, and is done in direct coordination with the IBM team associated with RHM. Review the RHM partner documentation for more information.

Your certified operator will publish to the embedded OperatorHub within every OpenShift cluster version that your operator indicates support for (this is done within the annotations.yaml file of your metadata bundle). Within OperatorHub, your operator will be visible under the “marketplace” filter. 

Your OperatorHub listing will redirect to the Red Hat Marketplace site for purchase through IBM. Your customer will purchase there, provide their target cluster details, and then have the operator deployed subsequently. This is where customers will go to install the operator.  The certification will also be published and reflected within catalog.redhat.com and be specially indicated as a Red Hat Marketplace certification. IBM takes a percentage of sales for the provided service.

Who should use it:  Partners that require marketplace purchasing functionality for their product. It should not be selected in the hope of automatic exposure or increased transactions.  This should only be chosen if you need customers to purchase through a marketplace storefront. 

Web catalog only

Description: Your product will not be visible to customers within Red Hat OpenShift’s OperatorHub or Red Hat Marketplace indexes.

What it means:  You will only have a catalog listing for the purpose of proving and showcasing your successful certification.  Your operator will not be available in the embedded OperatorHub within OpenShift.

Who should use it:  If you do not want your operator visible to install in OperatorHub but need to prove certification to joint customers. 

If you have any comments or questions, please open a support case with our Partner Acceleration Desk.